A new ransomware group named Anubis is aggressively targeting critical industries like healthcare and engineering across the globe. Appearing in late 2024, the group uses a powerful double extortion strategy, encrypting data while also threatening to leak it. Anubis operates a Ransomware-as-a-Service (RaaS) model, which allows its attacks to spread quickly by using affiliates, posing a significant new threat to essential services worldwide.
Healthcare and Engineering Firms in the Crosshairs
Anubis is not random in its choice of victims. The group strategically targets industries where downtime can cause severe financial and public harm, increasing the pressure on companies to pay the ransom. This calculated approach is already creating a list of victims in vital sectors.
The focus on healthcare is particularly alarming, as any disruption can impact patient care and safety. Engineering and construction firms are also prime targets because project delays can lead to massive financial penalties. This pattern shows Anubis is deliberately going after businesses that are essential to public infrastructure and well-being.
| Victim Name | Country | Industry |
| --- | --- | --- |
| Pound Road Medical Centre | Australia | Healthcare |
| Summit Home Health | Canada | Healthcare |
| Comercializadora S&E Perú | Peru | Engineering & Construction |
| Unidentified Engineering Firm | United States | Engineering |
The RaaS Model Fueling Anubis’s Rapid Rise
Unlike traditional ransomware gangs, Anubis uses a business model known as Ransomware-as-a-Service, or RaaS. This means the core group develops the malicious software and infrastructure, then leases it out to other cybercriminals, called affiliates. These affiliates carry out the attacks and share a portion of the ransom money with the Anubis operators.
This RaaS model allows Anubis to launch a high volume of attacks without needing a large, centralized team. It effectively crowdsources cybercrime, attracting hackers with different skill levels who are eager to profit from a proven ransomware tool.
The group’s operation is built on a few key pillars:
- Affiliate Recruitment: Actively seeking out other criminals on underground forums to expand their network and reach.
- Double Extortion: First, they encrypt the victim’s files, making them inaccessible. Second, they threaten to publish the sensitive data they stole before the encryption, adding immense pressure on the victim.
- Dark Web Presence: Anubis operators are active on well-known cybercrime forums like RAMP and XSS, using aliases to build their brand and recruit new members.
This approach is highly effective and has been used by some of the most successful ransomware groups in recent years. It suggests the operators behind Anubis are experienced and know how to run a profitable criminal enterprise.
Russian-Speaking Operators and Dark Web Connections
Clues found on dark web forums point to the group’s origins. Threat intelligence firm KELA reported that Anubis representatives communicate in Russian, which strongly suggests they are part of the larger Russian-speaking cybercrime ecosystem. This is a common trait among major ransomware groups, which often operate from regions with lax law enforcement against cybercriminals targeting Western countries.
Researchers also believe that the individuals behind Anubis may not be new to the scene. The sophistication of their tactics and their rapid emergence suggest they could be former affiliates of other notorious ransomware gangs. This experience would explain why they were able to establish a professional-looking operation so quickly and successfully hit high-value targets from the start.
A Growing Threat to Critical Infrastructure
The arrival of Anubis highlights a dangerous trend in cybersecurity. Ransomware is increasingly being used as a weapon against the most sensitive parts of our society. This shift from targeting small businesses to critical infrastructure has serious implications.
Sectors like healthcare and engineering are more likely to pay ransoms because they cannot afford long periods of disruption. Criminals know this and are exploiting it for maximum financial gain. The use of a RaaS model also means that the number and variety of attacks will likely increase as more affiliates join the Anubis network. The Russian-speaking origin of the group also raises concerns about potential state-level protection or tolerance for their activities.
For businesses in these critical sectors, the message is clear. It is more important than ever to invest in strong cybersecurity defenses, maintain secure offline backups of critical data, and stay informed about emerging threats like Anubis.
Frequently Asked Questions about Anubis Ransomware
What is Anubis ransomware?
Anubis is a new ransomware group that appeared in late 2024. It targets critical sectors such as healthcare and engineering using a Ransomware-as-a-Service (RaaS) model and double extortion tactics.
What is double extortion?
Double extortion is a two-stage attack. First, the criminals steal a victim’s sensitive data. Second, they encrypt the victim’s files and threaten to leak the stolen data online if the ransom is not paid.
Why is Anubis targeting critical industries?
Anubis targets these industries because they are highly dependent on their operational systems. Any downtime can cause severe financial, reputational, and public safety consequences, which makes these organizations more likely to pay a ransom quickly.
Who is behind the Anubis group?
Evidence suggests the operators are Russian-speaking and active on dark web forums. Cybersecurity experts believe they may be experienced cybercriminals who were previously involved with other major ransomware operations.
How can businesses protect themselves from Anubis?
Organizations should strengthen their cybersecurity posture by implementing multi-factor authentication, keeping systems patched, and training employees to spot phishing attempts. It is also crucial to have a robust and tested backup and recovery plan to restore operations without paying a ransom.
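The article twice stresses that backups only help against ransomware if they are kept offline and actually tested by restoring from them. The following script is an added example, not code from the article or from any vendor it mentions; it shows what a minimal restore drill looks like: build a SHA-256 manifest of a live directory, copy it to a backup location, restore from that copy, and prove byte-for-byte that the restored files match the manifest. All paths and file contents are constructed under a temporary directory, and the function names (`backup`, `verify_restore`, `restore_drill`) are this example's own.

```python
"""Backup manifest and restore verification drill.

Added example (not from the original article). A "tested" backup plan means
periodically restoring from the backup copy and proving the result matches
what was backed up. Sample data below is constructed in a temp directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(src: Path, dest: Path) -> Path:
    """Copy src to dest and write the manifest next to (not inside) the copy."""
    shutil.copytree(src, dest)
    manifest = build_manifest(src)
    manifest_path = dest.with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_restore(restored: Path, manifest_path: Path) -> list:
    """Return a list of problems; an empty list means the restore is verified."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def restore_drill(tamper: bool = False) -> list:
    """Run an end-to-end drill on constructed data and return any problems.

    With tamper=True one restored file is overwritten after the restore,
    standing in for a corrupted or encrypted file, to show the check fires.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "live"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient.csv").write_text("id,name\n1,constructed\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = backup(src, base / "backup")

        restored = base / "restored"
        shutil.copytree(base / "backup", restored)  # the "restore" step
        if tamper:
            (restored / "config.ini").write_bytes(b"\x00encrypted-garbage")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean drill:", restore_drill() or "restore verified")
    print("tampered drill:", restore_drill(tamper=True))
```

In production the manifest should live with the offline copy (and ideally be signed), since an attacker who can rewrite both the backup and its manifest defeats a plain hash check; the drill itself should be scheduled, not run once.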